List-Id: Zsh Workers List
X-Seq: 44731
To: zsh-workers@zsh.org
From: Stephane Chazelas
Subject: Re: arithmetic expression from outside
Date: Thu, 5 Sep 2019 20:49:13 +0100
Message-ID: <20190905194913.2lc3az7obp2uem7i@chaz.gmail.com>

2019-09-05 11:22:53 -0700, Bart Schaefer:
[...]
> % N='sum[$(echo Hello, world!>&2)]' bash -c 'echo $((N))'
> Hello, world!
> 0
>
> Zsh at least does not do that with parameters from the environment,
> although I'm not exactly sure what prevents it.

It does, but the variable has to be an array:

$ N='psvar[$(echo Hello, world!>&2)]' zsh -c 'echo $((N))'
Hello, world!
zsh:1: bad math expression: empty string

See also
https://unix.stackexchange.com/questions/172103/security-implications-of-using-unsanitized-data-in-shell-arithmetic-evaluation

That's regularly reported as a security vulnerability or at
least a misfeature that causes security vulnerabilities (to bash
and zsh at least; first time I heard about it was from Oliver
Kiddle here shortly after shellshock) and I agree it is.

It would be nice if something could be done about it, but I'm
not sure there's an easy solution other than redesigning a new
arithmetic expression parsing from scratch.

POSIX gets in the way because it requires $(($1)) to be done in
two steps: first expansion of $1 and then evaluation of the
expression resulting from that expansion (so with a value like
PATH=7734, you get a nasty side effect even with dash or other
shells that don't have extensions over the standard).

I'm not sure we can do anything safe without coming up with a
completely new, incompatible and pretty limited syntax.

-- 
Stephane
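
A script-side mitigation for the behaviour discussed in this message, as an added example that is not part of the original post or of zsh: only strings that are plain decimal integer literals are allowed to reach arithmetic expansion. The helper names safe_int and safe_sum are hypothetical, and the sample inputs are constructed from the values quoted in the message.

```shell
#!/bin/sh
# Added example: validate untrusted text before it reaches $(( ... )).
# safe_int and safe_sum are hypothetical helper names.

# Print the canonical decimal form of $1, or return 1 if $1 is anything
# other than an optionally signed run of ASCII digits. Only pattern
# matching is used here, so the input is never parsed as an expression.
safe_int() {
    _sign='' _d=$1
    case $_d in
        -*) _sign=- _d=${_d#-} ;;
        +*) _d=${_d#+} ;;
    esac
    case $_d in
        '' | *[!0123456789]*) return 1 ;;   # names, [..], =, $, spaces
    esac
    # Drop leading zeros so "010" is not read as octal.
    while [ "${#_d}" -gt 1 ] && [ "${_d#0}" != "$_d" ]; do
        _d=${_d#0}
    done
    [ "${#_d}" -le 18 ] || return 1         # stay inside 64-bit range
    if [ "$_d" = 0 ]; then _sign=''; fi
    printf '%s\n' "$_sign$_d"
}

# Add two untrusted values; only validated literals reach $(( )).
safe_sum() {
    _a=$(safe_int "$1") || return 1
    _b=$(safe_int "$2") || return 1
    echo $(( $_a + $_b ))
}

# Constructed inputs: the subscript form and the assignment form from the
# message, an octal-looking literal, and two plain integers.
for v in 'psvar[$(echo Hello, world!>&2)]' 'PATH=7734' '010' '-42' '7'; do
    if n=$(safe_int "$v"); then
        printf 'accepted %s as %s\n' "$v" "$n"
    else
        printf 'refused  %s\n' "$v"
    fi
done
```

The digit class is spelled out rather than written as [0-9] so the match does not depend on the locale's collation order.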